Enforcing server authentication based on a hardware token
First Claim
1. A method, comprising:
- receiving, by a hardware token from a client device, a chain of certificates comprising a server certificate and a first root certificate authority (CA) certificate, each certificate in the chain of certificates comprising a public key and a signature;
- verifying, by a cryptography application running in a memory of the hardware token, the chain of certificates by:
  - verifying, in an iterative manner and starting with the server certificate as a selected certificate, a signature of the selected certificate using a next public key of a next certificate in the chain of certificates, wherein the next public key is considered authenticated and is added to a list of public keys upon the successful verification of the selected certificate;
  - omitting authentication of the next public key and tagging the list of public keys as authenticated upon determining that the next public key is present in an authenticated list stored by the hardware token and has been used less than a predetermined number of times; and
  - determining that the chain of certificates is verified in response to tagging the list of public keys as authenticated;
- authenticating, by the hardware token and based on the verified chain of certificates, a public key of the server certificate in the chain of certificates;
- encrypting, by the cryptography application, a secret message using the authenticated public key of the server certificate in the chain of certificates to obtain an encrypted secret message; and
- sending, by the hardware token, the encrypted secret message to the client device.
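The chain-verification step of the claim, with its authenticated-key list and use limit, sketched as an added example (not code from the patent or its assignee). Textbook RSA over small Mersenne primes stands in for the token's signature scheme; `Token`, `verify_chain`, the dict-based certificates and the counter restart after a full walk to the root are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keypair(a, b):
    # Toy RSA key from the Mersenne primes 2^a-1 and 2^b-1 (stand-in, NOT secure).
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def digest(subject, pub, n):
    return int.from_bytes(hashlib.sha256(f"{subject}|{pub}".encode()).digest(), "big") % n

def issue(subject, pub, signer):
    n, d = signer
    return {"subject": subject, "pub": pub, "sig": pow(digest(subject, pub, n), d, n)}

def sig_ok(cert, signer_pub):
    return pow(cert["sig"], E, signer_pub) == digest(cert["subject"], cert["pub"], signer_pub)

class Token:
    def __init__(self, trusted_root_keys, max_uses):
        self.trusted_root_keys = set(trusted_root_keys)  # root keys stored in the token
        self.max_uses = max_uses   # the claim's "predetermined number of times"
        self.authenticated = {}    # cached public key -> shortcut uses so far

    def verify_chain(self, chain):
        """Return (verified, certificates examined); chain[0] is the server certificate."""
        pending = []
        for examined, (selected, nxt) in enumerate(zip(chain, chain[1:]), 1):
            if not sig_ok(selected, nxt["pub"]):
                return False, examined
            pending.append(nxt["pub"])
            uses = self.authenticated.get(nxt["pub"])
            if uses is not None and uses < self.max_uses:  # cache hit: skip the rest
                self.authenticated[nxt["pub"]] = uses + 1
                for pub in pending:
                    self.authenticated.setdefault(pub, 0)
                return True, examined
        root = chain[-1]  # no shortcut taken: anchor in a stored trusted root
        if root["pub"] not in self.trusted_root_keys or not sig_ok(root, root["pub"]):
            return False, len(chain)
        self.authenticated.update(dict.fromkeys(pending, 0))  # assumption: counters restart
        return True, len(chain)

# Constructed sample chain: server <- intermediate CA <- self-signed root CA.
ROOT, INTER, SERVER = keypair(107, 127), keypair(61, 89), keypair(19, 31)
CHAIN = [issue("server", SERVER[0], INTER),
         issue("intermediate CA", INTER[0], ROOT),
         issue("root CA", ROOT[0], ROOT)]
```

The use limit bounds how many verifications can rely on a cached CA key before the token walks the chain further toward its stored root again; keys from a chain that fails verification never enter the authenticated list.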
Abstract
A method may include receiving, by a hardware token from a client device, a chain of certificates including a server certificate and a first root certificate authority (CA) certificate. The method may further include determining, by the hardware token, to offload validation of one or more certificates in the chain of certificates to the client device, and verifying, by a cryptography application running in a memory of the hardware token, using a trusted root CA certificate stored in the hardware token, each certificate in the chain of certificates. The method may further include authenticating, by the hardware token and based on the verification, a public key of a server certificate, encrypting, by the cryptography application, a secret message using the authenticated public key of the server certificate to obtain an encrypted secret message, and sending, by the hardware token, the encrypted secret message to the client device.
15 Claims
1. A method, comprising:
- receiving, by a hardware token from a client device, a chain of certificates comprising a server certificate and a first root certificate authority (CA) certificate, each certificate in the chain of certificates comprising a public key and a signature;
- verifying, by a cryptography application running in a memory of the hardware token, the chain of certificates by:
  - verifying, in an iterative manner and starting with the server certificate as a selected certificate, a signature of the selected certificate using a next public key of a next certificate in the chain of certificates, wherein the next public key is considered authenticated and is added to a list of public keys upon the successful verification of the selected certificate;
  - omitting authentication of the next public key and tagging the list of public keys as authenticated upon determining that the next public key is present in an authenticated list stored by the hardware token and has been used less than a predetermined number of times; and
  - determining that the chain of certificates is verified in response to tagging the list of public keys as authenticated;
- authenticating, by the hardware token and based on the verified chain of certificates, a public key of the server certificate in the chain of certificates;
- encrypting, by the cryptography application, a secret message using the authenticated public key of the server certificate in the chain of certificates to obtain an encrypted secret message; and
- sending, by the hardware token, the encrypted secret message to the client device.

Dependent claims: 2, 3, 4
5. A system, comprising:
- a client device configured to:
  - receive, over a network, a chain of certificates comprising a server certificate and a first root certificate authority (CA) certificate, each certificate in the chain of certificates comprising a public key and a signature; and
- a hardware token, communicatively associated with the client device, comprising a memory and a cryptography application running in the memory, the hardware token configured to:
  - receive, from the client device, the chain of certificates;
  - verify the chain of certificates by:
    - verifying, in an iterative manner and starting with the server certificate as a selected certificate, a signature of the selected certificate using a next public key of a next certificate in the chain of certificates, wherein the next public key is considered authenticated and is added to a list of public keys upon the successful verification of the selected certificate;
    - omitting authentication of the next public key and tagging the list of public keys as authenticated upon determining that the next public key is present in an authenticated list stored by the hardware token and has been used less than a predetermined number of times; and
    - determining that the chain of certificates is verified in response to tagging the list of public keys as authenticated;
  - authenticate, based on the verified chain of certificates, a public key of the server certificate in the chain of certificates;
  - encrypt a secret message using the authenticated public key of the server certificate in the chain of certificates to obtain an encrypted secret message; and
  - send the encrypted secret message to the client device.

Dependent claims: 6, 7, 8, 9, 10
11. A non-transitory computer readable medium comprising instructions that, when executed by a processor, cause the processor to execute the steps of:
- receiving, by a hardware token, from a client device, a chain of certificates comprising a server certificate and a first root certificate authority (CA) certificate, each certificate in the chain of certificates comprising a public key and a signature;
- verifying, by a cryptography application running in a memory of the hardware token, the chain of certificates by:
  - verifying, in an iterative manner and starting with the server certificate as a selected certificate, a signature of the selected certificate using a next public key of a next certificate in the chain of certificates, wherein the next public key is considered authenticated and is added to a list of public keys upon the successful verification of the selected certificate;
  - omitting authentication of the next public key and tagging the list of public keys as authenticated upon determining that the next public key is present in an authenticated list stored by the hardware token and has been used less than a predetermined number of times; and
  - determining that the chain of certificates is verified in response to tagging the list of public keys as authenticated;
- authenticating, by the hardware token and based on the verified chain of certificates, a public key of the server certificate in the chain of certificates;
- encrypting, by the cryptography application, a secret message using the authenticated public key of the server certificate in the chain of certificates to obtain an encrypted secret message; and
- sending, by the hardware token, the encrypted secret message to the client device.

Dependent claims: 12, 13, 14, 15
Specification